Initially I planned this first post (and I didn't know how many posts I would need to prepare) for the topic: RBAC policy for tcpdump viewtopic.php?f=5&t=4301 because I figured out an important little "tweak" (or whatever to call it) for the learning on role tcpdump, without which, as it appears to me, there are issues left: tcpdump doesn't work correctly under RBAC.

Then I thought it has too little to do with tcpdump, even though it contains the important "tweak", and that it should rather belong in the topic:

However, these posts are also related to my Libvirt topic (link given above), and they build on the explanations given there to a large extent. E.g. the version grsec_170310_g0n_00 is one of the last versions of my /etc/grsec/policy, and I explained in that topic how I attained it.

I bet some readers figured out here that I like suspense and I don't like fiction or incompleteness (when I can). All of this is from real life. Later there will be, only for purposes of explanation, a few grsec policy files that weren't run, but the final "product" to show is always to do with real life.

I really don't know if I got good and functioning results in the /etc/grsec/policy learned from those...

You can see from the learning.logs that it may have been sufficiently long learning: from:

that's 68 traces made, but I had a crash, and I simply fitted in another cloned hard disk of the same system [1], updated it with newly gotten stuff from the internet (that's always relatively a lot of work; cloning itself is simple, but getting again to the same place in your interactions with the internet in the cloned system, that's what takes most of your time)...

So, I [updated it with newly gotten stuff from the internet], but it's various stuff, and you're bound to forget some... And I did forget to update exactly that guy: the /etc/grsec/learning.logs.

But I can remedy. I have the previous, crash system's dd dumped partitions.

And I'll do an experiment.

I recovered from the dd dumped system, now nonexistent, frozen in dd for some more time JIC ([J]ust [I]n [C]ase); that's the older one:

[...add the new stuff of the latest system's learning.logs to the untouched previous system's learning.logs], and place it in /etc/grsec/learning.logs, and then disable grsec, and do the learning output.

So, there is the common, identical part, of the learning.logs of both the new and the previous (the crashed) system. It is identical in both, because both of them are clones of the same master, my Air-Gapped that never sees any internet. And I'll simply add the additions of the old, and of the new to it.

[Still more work] remaining because I haven't fully deployed libvirt under grsecurity's protection, and I don't know whether to leave its programs' subjects under learning, because I've been running mostly pure Qemu for days now... With apparently no issues (the crash I think was related to virtualization, but there wasn't much in the logs at all, and I didn't investigate)...

There are two goals that I set out to accomplish with these last five posts (this is the 5th post today in this topic): get the learned tcpdump policies done, and get just the qemu related programs' learned policies done.

I think, but I don't know for sure, that I should post these posts in the topic on Libvirt virtualization policies, because it builds mostly on matters solved in that topic, and just link to the Libvirt virtualization topic from the tcpdump topic.

Because I hope tcpdump will now start working correctly under grsecurity. (Did I forget to say it would lose packets, and that I turned to using dumpcap instead... I think I forgot... But, yes, that was the case, and I never found time to investigate why, but it probably is because of the user and group not having been learned.)

The bigger part of the work, however, consists in editing the policies that grsecurity automatically made.

added by gradm at the very end of the /etc/grsec/policy which I installed right before running the outputting of the learned policies.

And I also removed all the libvirt subjects whatsoever. Still not working, remains under learning. What else to do... Currently not using libvirt... Only pure Qemu.

Next change... (Oh, pls. bear in mind that these are step changes for purposes of explanation. These would not be functional on their own! If I weren't posting (and posting with newbies in mind), I would have done all of these changes in one go.)

diff -u30 ./grsec_170405_g0n_02 ./grsec_170405_g0n_03

(and I removed it in the next diff), because that subject is plain wrong... That's a temporary install during the building of qemu... Maybe that partly explains similar subjects that I had in connection with port 80 and port 0 denied lines...

(but I wasn't able to find the reference to /var/tmp/... there. Pls. forgo this remark above for now... And I'll mark it with: LINK here in case I do find out where I had such /var/tmp/portage/ ... stuff)

Error on line 4851 of /etc/grsec/policy:
Object /home/miro needs to be specified in the same subject as globbed object /home/miro/*.img.
The RBAC system will not be allowed to be enabled until this error is corrected.

Passed. I don't say that tcpdump will now work (only: it is likely it will), and that there remain no issues, but maybe some of them are now solved.

If I'm not back sooner rather than later, probably it goes as expected. I trace all the time, and also like to play with Qemu, so I'll know pretty soon. Again, if I'm not back sooner than later, it likely works.
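As an added illustration (not part of the original post, and not the poster's actual policy), here is what that gradm error refers to: a subject that lists the globbed object /home/miro/*.img without its parent object /home/miro, beside the corrected form. The subject path /usr/bin/qemu-system-x86_64 and the object modes are assumptions chosen for the example.

```text
# Rejected by gradm: the globbed object /home/miro/*.img has no
# parent object /home/miro in the same subject.
# (subject path is an assumption, not taken from the post)
subject /usr/bin/qemu-system-x86_64 o {
	/			h
	/home/miro/*.img	rw
}

# Corrected: the parent directory is listed in the same subject.
# Here it is hidden (h), so only the *.img disk images become
# visible to the subject, with read/write access.
subject /usr/bin/qemu-system-x86_64 o {
	/			h
	/home/miro		h
	/home/miro/*.img	rw
}
```

With the parent object present, gradm -E no longer rejects the policy at that line; any other parse errors are reported the same way, one at a time.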